## Writeup

The service contains two vulnerabilities. I hope for that:)

### Vulnerable 1

#### Summary

First vulnerability affected PyJWT module ([JWT](https://en.wikipedia.org/wiki/JSON_Web_Token) 
implementation in Python). PyJWT from 2.0.0 to 2.3.0 contains some security issues which allow you
to perform key confusion attack by change **ed25519** asymmertic algorithm to symmetric algorithm **HS256**. 

The service set up JWT value to *access_token* cookie value after log in. Take it. After decoding we can see additional 
keys in claims. The key "is_admin" looking as something interesting. Default value - False. We have a few sensitive 
routes which need admin permission: */api/flags* and */api/users*. 

First of all, you need to get the public key. You can find it in route with same name (*/public_key*). After 
that you need just change claims key 'is_admin' to True, set up public key as key and algorithm as HS256. That`s all. 
Now you can get flags from */api/flags*  

Exploit available [here](./exploit_1.py).  


**Hint**: Requirements.txt contains [pip-audit](https://github.com/pypa/pip-audit). It`s useful python module
for scanning Python environments for packages with known vulnerabilities. You can just run it and receive 
something like that:
```bash
Found 1 known vulnerability in 1 package 
Name  Version ID             Fix Versions
----- ------- -------------- ------------
pyjwt 2.3.0   PYSEC-2022-202 2.4.0
```
You could just google the vulnerable id and find security advisory with PoC! 

#### How to fix?

Upgrade PyJWT to 2.4.0 version. Always be explicit with the algorithms that are accepted and expected when decoding.

#### Useful resources

- More about JWT with useful debugger: https://jwt.io/
- PYSEC-2022-202 / CVE-2022-29217 description and PoC: https://github.com/jpadilla/pyjwt/security/advisories/GHSA-ffqj-6fqr-9h24
- Additional examples of vulnerabilities in JSON Web Token Libraries: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- Additional examples of vulnerabilities in JSON Web Token Libraries: https://habr.com/ru/post/450054/

### Vulnerable 2

#### Summary

This code in route */users/\<uid\>* looking not great:
```python
...
def get_user(uid):
    user = db.engine.execute(f'SELECT * FROM "web-user" WHERE id = ' + uid)
    results = user.fetchone()
...
```
Obvious we have disadvantages with filtering and can perform SQL Injection attack. Just collect flags from 'flag' table 
using UNION keyword.

Exploit available [here](./exploit_2.py).

**Hint**: You can use Postgres [STRING_AGG](https://www.postgresqltutorial.com/postgresql-aggregate-functions/postgresql-string_agg-function/) 
function for aggregating all flags from database.

#### How to fix?

Use [ORM](https://en.wikipedia.org/wiki/Object%E2%80%93relational_mapping) as in other routes. This code looks much better:
```python
...
def get_user(uid):
    return jsonify(User.query.get_or_404(id).to_dict())
...
```

You can also fix it by using parameterized queries. Other recommendations you can see below.

#### Useful resources

- Good entry point to SQLi: https://portswigger.net/web-security/sql-injection
- How to prevent SQL Injection attacks by Positive Technologies: https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/
- ORM is not enough: https://snyk.io/blog/sql-injection-orm-vulnerabilities/
